[Full Disclosure] Live mtgox.com trade matching bug.

[trentzb]

@jrmithdobbs

Did you notify MT about this issue prior to disclosure? Ahh, I just caught your reply.

I don't have a strong infosec background so please excuse my naivety, can I ask, do you typically notify targets of vulns prior to public release or do you do both simultaneously or ??

I don't intend to start a debate of the pros/cons, just trying to get some info for when you probe my service.

[1714092448]

1714092448

[1714092448]

1714092448

[1714092448]

1714092448

[1714092448]

1714092448

[1714092448]

1714092448

[psyborgue]

Happy,

Please don't repeat the OP's false insinuation that he somehow found an exploit.  It's a display bug.  Nothing more, and drawing such public (false) light to it serves no purpose but to make Mt. Gox and bit coin look bad.  Something the OP was seeking, i'd wager.  Yes, there is a time for full disclosure, but it's only after private channels have failed to fix the issue.

[jrmithdobbs]

What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.

You say that like it's a bad thing?

You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder

Maybe YOU don't. Plenty of people do.

There's an email feature in the mtgox interface where you can report bugs without exposing innocent traders (who will be affected by exploits if the price swings or if one of your 0-days can lead to compromising other people's balances or wallets).

Not my problem. If you're so worried about this particular scenario maybe you should be lobbying the bitcoin vendors you use to open their systems or publicly disclose results of code/security audits, etc.

I can agree on full disclosure for big bureaucratic organisations that ignore you when you report a bug.

But honestly, in this case, for a small company like MtGox.

A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.

[wumpus]

A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.

Are you sure about that? I've followed it a bit, and from what I read the security issues were solved pretty fast. Sometimes even before people could report them.

The only thing that was AFAIK grossly mis-handled was the password list leak. He should have set the confirmation/claim process into working *before* someone hacked into accounts and distorted the market.

Anyway whatever the real story is, I don't agree that gives you a reason to nail him to the pillory for every little issue you find after this.

Oh noo! a misspelled word in the interface! ... full disclosure!

Edit: btw why not change the name of this topic now that it turned out not to be a "trade matching bug" at all?

[psyborgue]

What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.

You say that like it's a bad thing

Fool.  You see no further than the immediate.  LulzSec did nothing more than create an excuse for the authorities to try and clamp down on the Internet and/or bit coin (how they were seen to be funded).  For an added bonus, they mixed in immigration and drug issues into their troll.  Now the average Joe will welcome the "protection" of our brand new, locked down, internet -- free from the dangers inherent to anonymity.  Technology may not exist now, or ever, but they, and the momentum they have created, will certainly create the demand.

Similarly, your actions reflect on bitcoin itself in the public eye, and you don't seem to care.  I wonder why.

[ruhvix]

Thank you to Mr. jrmithdobbs for reporting the issue and to MagicalTux for responding to it so quickly (especially given all the other urgent MtGox stuff MagicalTux must be dealing with).

This confirms that MtGox is absolutely committed to an extremely high level of security. Bitcoin is fortunate to have experts like jrmithdobbs helping the community defend against threats to our financial safety.

Muchos gracias to you both!

[jrmithdobbs]

The only thing that was AFAIK grossly mis-handled was the password list leak. He should have set the confirmation/claim process into working *before* someone hacked into accounts and distorted the market.

He also ignored attempts to report the nasty CSRF, that came to light right before that all went down, for about a week. But, I digress.

I have no plans to "nail him to the wall" for every mistake. In fact, I will probably not be looking at mtgox at all after the next 72 hours.

And to clear things up, this is a little more than just a display bug. This is also the cause of the weirdness people have been reporting about it dropping from 17->15 etc without executing orders in-between.

Edit: btw why not change the name of this topic now that it turned out not to be a "trade matching bug" at all?

It is a trade matching bug. Trades are not revalidated on withdrawal/deposit to the account. I never claimed it was an exploit. "Exploiting" in the original text is the normal english use of the word, not the info-sec use. So no, I will not change the title.

[DrYe5]

Thanks to OP for info. Mt. Gox should have already addressed the price spikes.

Also good to know this is the only bug.

[BitterTea]

Also good to know this is the only bug.

How do you infer this from the available information?

[mizerydearia]

jrmithdobbs,

You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder if you have even a shred of common sense or intelligence.

I'm confused.

http://en.wikipedia.org/wiki/Zero-day_attack

A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer, also called zero-day vulnerabilities.

[You] never release 0-day exploits without notifying original coder?  Seems like 0-day, by definition means you always release 0-day exploits without notifying original coder, otherwise it is not a 0-day exploit.

Also good to know this is the only bug.

How do you infer this from the available information?

Maybe this?

At the very least this could be used to influence market conditions if it is only a display bug.

[mizerydearia]

appended to previous post

Mods: Delete this obnoxious (due to size) and useless post

[DrYe5]

Also good to know this is the only bug.

How do you infer this from the available information?

One cannot. It underlines the fact that more bugs are extremely likely.

[kloinko1n]

I believe you're already involved with britcoin.co.uk ?

I don't know why I'm going to taking the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such project on a regular basis, however, yes, including those involved with britcoin amongst others.

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

http://en.wikipedia.org/wiki/Full_disclosure

Full disclosure is the only real disclosure.

Did you fail to read the part about responsible disclosure?
http://en.wikipedia.org/wiki/Responsible_disclosure

[DrYe5]

I believe you're already involved with britcoin.co.uk ?

I don't know why I'm going to taking the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such project on a regular basis, however, yes, including those involved with britcoin amongst others.

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

http://en.wikipedia.org/wiki/Full_disclosure

Full disclosure is the only real disclosure.

Did you fail to read the part about responsible disclosure?
http://en.wikipedia.org/wiki/Responsible_disclosure

Awww man... that disclosure got goxed.

[kloinko1n]

A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.

Ah! So there's your grief!

[MeSarah]

MT and MtGox have been given every opportunity to to fix their system. Even after being told there were major exploits MT took his time to fix the exploits until the shit hit the fan. It is clear to me that MT is an egotistical programmer. He programs large blocks of code and does insufficient testing leaving the community of users to suffer the consequences. MtGox nolonger deserves the privilege of keeping bugs and security flaws private.

Every bug or security flaw found at MtGox should be disclosed publicly cutting MT out of the loop. If MT didnt know about the flaw then its his fault for not properly testing his system. Its time to leave MtGox for good. Let MtGox wither in their own mismanagement.

CampBX will be open soon. It looks to be the most thoroughly tested of the exchanges.

If you continue to use a known flawed system then its you who deserves what you get. If you drive a cars that is always over heating and the motor burns up, well then you got what you deserved. You knew of the problem but you kept using the car.

Protect yourself and leave MtGox now!

[Tasty Champa]

MT and MtGox have been given every opportunity to to fix their system. Even after being told there were major exploits MT took his time to fix the exploits until the shit hit the fan. It is clear to me that MT is an egotistical programmer. He programs large blocks of code and does insufficient testing leaving the community of users to suffer the consequences. MtGox nolonger deserves the privilege of keeping bugs and security flaws private.

Every bug or security flaw found at MtGox should be disclosed publicly cutting MT out of the loop. If MT didnt know about the flaw then its his fault for not properly testing his system. Its time to leave MtGox for good. Let MtGox wither in their own mismanagement.

CampBX will be open soon. It looks to be the most thoroughly tested of the exchanges.

If you continue to use a known flawed system then its you who deserves what you get. If you drive a cars that is always over heating and the motor burns up, well then you got what you deserved. You knew of the problem but you kept using the car.

Protect yourself and leave MtGox now!

HAHAHAHAH
My Gox what have done Bipolar internetz!
That is exactly like saying, woman dresses like slut, woman dress like slut gets raped, woman dress like slut gets raped and deserves it. O.O /hides

[MeSarah]

That is exactly like saying, woman dresses like slut, woman dress like slut gets raped, woman dress like slut gets raped and deserves it.

Could you be any more offencive? I guess thats just your social mores. We know where you stand on gender equality.

[Tasty Champa]

That is exactly like saying, woman dresses like slut, woman dress like slut gets raped, woman dress like slut gets raped and deserves it.

Could you be any more offencive? I guess thats just your social mores. We know where you stand on gender equality.

Your reasoning is in conflict with your ability to have a fulfilling conversation.
Lashing out at anyone who does not share your viewpoints, is the key motivator for war.
You are authoritarian.

[MeSarah]

Your reasoning is in conflict with your ability to have a fulfilling conversation.
Lashing out at anyone who does not share your viewpoints, is the key motivator for war.
You are authoritarian.

Another non sequitur.